As is well known, firewalls in network communications systems guard a trusted network from an outside network, such as the Internet. In this regard, firewalls typically concentrate the entire trust at the perimeter of the trusted network; however, the locations and identities of the firewalls are typically not revealed to the users of the trusted network. In operation, firewalls act on the incoming traffic to the trusted network and determine whether to allow the incoming traffic to pass to a destination within the trusted network. Typically, to determine whether to allow the incoming traffic to pass into the trusted network, most firewalls maintain an access control list (ACL) that includes parameters for allowing traffic to pass into the network. Generally, firewalls operate according to a default policy of prohibiting incoming traffic from passing into the trusted network unless the incoming traffic meets the parameters configured in the ACL.
Many access networks have a content distribution and content caching framework to provide proxy services for low bandwidth devices. In such cases, the user of the network needs to describe its capabilities to its local proxy. From the user's perspective, however, the client application is merely downloading content from the local proxy/cache. In such instances, creating an opening in the firewall, often referred to as a pinhole, is not typically a concern for the client. In other instances, however, pinhole creation is desired for setting up communication sessions. For example, a user in the trusted network may desire to have a pinhole in the firewall to conduct a real-time audio or video conversation, where proxy services would add jitter and delay through extra processing. As another example, a user in a smaller, unmanaged network that does not provide local proxy services may desire to have a pinhole in the firewall. Such unmanaged networks typically have an Authentication, Authorization and Accounting (AAA) server and/or a firewall to authorize the users and to protect the users from outside networks.
Conventionally, firewalls are configured manually, and may be configured to include one or more pinholes. Manually configuring such pinholes, however, greatly restricts the flexibility of the communication services that can be offered to the users of the trusted network and to other users who communicate with users of the trusted network. In this regard, the pinholes have to be created manually for a particular session, in advance of the session, such as by an administrator. For modern communication protocols, the ports used are very often allocated dynamically at run time and are not determined in advance. In these scenarios, the conventional, static configuration of firewalls typically cannot provide the necessary services.
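The contrast between a static ACL with a default-deny policy and a session-scoped pinhole can be made concrete in code. The following Python model is an added example, not part of the original text or of any firewall product: the `Firewall`, `AclRule`, `Pinhole` and `Packet` classes and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for illustration. It shows a static rule admitting HTTPS, the default policy denying a media stream on a port chosen at run time, a pinhole opened for that one session admitting exactly that flow and nothing else, and the pinhole lapsing when its lifetime expires.

```python
"""Constructed model of a default-deny firewall: a static ACL plus
session-scoped pinholes that expire. Illustrative only; not a product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class AclRule:
    """Static rule configured in advance: allow src_net -> dst_net on proto/dport."""
    src_net: str
    dst_net: str
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and pkt.dport == self.dport)


@dataclass
class Pinhole:
    """Dynamic, per-session opening: an exact 4-tuple plus an expiry time,
    so it admits only the negotiated flow and only while the session lives."""
    src: str
    dst: str
    proto: str
    dport: int
    expires_at: float

    def matches(self, pkt: Packet, now: float) -> bool:
        return (now < self.expires_at
                and pkt.src == self.src and pkt.dst == self.dst
                and pkt.proto == self.proto and pkt.dport == self.dport)


class Firewall:
    def __init__(self, acl):
        self.acl = list(acl)
        self.pinholes = {}   # session_id -> Pinhole

    def open_pinhole(self, session_id, src, dst, proto, dport, now, ttl):
        # Bound to a session and a lifetime; the caller is expected to close it
        # when the session ends, and expiry covers the case where it does not.
        self.pinholes[session_id] = Pinhole(src, dst, proto, dport, now + ttl)

    def close_pinhole(self, session_id):
        self.pinholes.pop(session_id, None)

    def decide(self, pkt: Packet, now: float) -> str:
        # Purge expired pinholes first so a stale opening can never match.
        self.pinholes = {sid: ph for sid, ph in self.pinholes.items()
                         if now < ph.expires_at}
        if any(rule.matches(pkt) for rule in self.acl):
            return "allow:acl"
        for sid, ph in self.pinholes.items():
            if ph.matches(pkt, now):
                return f"allow:pinhole:{sid}"
        return "deny:default"   # default policy: nothing else gets in


def demo():
    """Walk through the scenarios described in the text; returns the decisions."""
    fw = Firewall([AclRule("0.0.0.0/0", "192.0.2.0/24", "tcp", 443)])
    web = Packet("198.51.100.7", "192.0.2.10", "tcp", 443)     # statically allowed
    rtp = Packet("198.51.100.7", "192.0.2.10", "udp", 49170)   # port chosen at run time
    other = Packet("203.0.113.5", "192.0.2.10", "udp", 49170)  # same port, other peer
    decisions = [fw.decide(web, now=0.0), fw.decide(rtp, now=0.0)]
    fw.open_pinhole("call-42", "198.51.100.7", "192.0.2.10", "udp", 49170,
                    now=1.0, ttl=30.0)
    decisions.append(fw.decide(rtp, now=2.0))
    decisions.append(fw.decide(other, now=2.0))
    decisions.append(fw.decide(rtp, now=40.0))   # lifetime elapsed
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point the model makes is that a pinhole is narrower than an ACL entry: it names one peer, one destination, one protocol and one port, and it carries a lifetime, so the opening cannot outlive the session it was created for or be reused by a different peer on the same port. A real implementation would key the pinhole on the full 5-tuple and tie its removal to the signalling that ended the session.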